VoIP phone phreaked by security hole

Researchers have discovered a serious vulnerability in the web interface used to control a commonly-found VoIP phone, SNOM Technology's model 320.

By
John E Dunn
| Feb 12, 2008

|

Share

TwitterFacebookLinkedInGoogle Plus

Researchers have discovered a serious vulnerability in the web interface used to control a commonly-found VoIP phone, SNOM Technology's model 320.

Attackers need the IP address of the phone being targeted to start the attack, but assuming they have this they can use a cross-site scripting approach to hack the phone’s built-in management interface, allowing a range of unwelcome activities.

These include stealing or tampering with phone logs and address book, calling third parties (while appearing to be located at the hacked handset), changing the phone’s text display, and even monitoring conversations in the room in which the phone sits without the victim being aware that it is happening. Any calls made from the ‘phreaked’ handset would be at the owner’s expense.

The outfit that uncovered the issue – GNUCitizen – has posted proof-of-concept code. German company SNOM has been informed, a GNU spokesperson said, but the company had not responded or given an indication of a likely timescale for patching.

“By crafting a XSS-CSRF vector he/she can inject a persistent XSS into the address book. When the victim visits the phone book, the XSS worm is silently executed and the attacker gains a total control over the interface and the actions that will be performed in the future. This also circumvents any protection mechanisms like VPN or comparable network layers,” the GNU Citizen blog claims.

“I’ve tried to patch the phone with the latest firmware but that didn’t work - the phone was temporarily disabled after the process and when it began responding again the firmware version was still the same.”
SNOM was asked for comment but had not replied at the time of going to press.

Related

GNUCitizen, which describes itself as an “ethical hacker outfit”, has some form in finding embarrassing bugs in hardware. Only last month, the group humbled the mighty BT by finding an authentication hole in the VoIP element of the BT Home Hub broadband gateway.

VoIP security tends to be ignored because it has yet reach mainstream levels of penetration, but many experts have warned that the technology is in danger if turning the humble home or business telephone into a new class of vulnerable device.

No surprise that the sector is in the rise. This week saw the creation of a new UK company, UM Labs , which plans to start selling a range of security gateways to secure the VoIP traffic in and out of a network. The latest SNOM issue affects the device itself and would not necessarily be protected by such systems. As with other areas of the tech industry, VoIP handset makers could find themselves having to update and patch products as do the makers of every other type of network equipment.